That is probably the easiest way to do it. You can use a wildcard SSL cert on your reverse-proxy and also, do a redirect of all non-SSL traffic to secure.*.foo.com to the SSL version. This can be controlled within your webserver config.